Slashdot Mirror


Microsoft Cracked

Lyserjic seems to have been first with the news. Some linkage: CNET. CNN. AP. MSNBC. BBC. MSNBC's story is a copy of the Wall Street Journal article which apparently broke the news - it's the most complete. What's known - the passwords were being sent to St. Petersburg, Russia. They probably had access for about three months.

59 of 712 comments

  1. Re:Not A Good Thing by ctembreull · · Score: 3
    Maybe, maybe not.

    While I agree with you that this is going to look bad in just about any light, a few things need to be kept firmly in view.

    • We do *not* at this point know if the crackers in fact took source code. We know, according to Ballmer, that they did indeed *view* the code. But did they actually get hold of a copy? Without knowing this answer, we can't accurately predict if and how that source code will be distributed to the net.
    • Yes, it's true, Microsoft will in all likelihood attempt to spin this as being all the fault of those nasty, evil, commie Open Source people. But is it? The best defense against FUD is the truth, and finding out just who did this, and why, will go a long, long way towards blunting the flood of bullshit that's even now beginning to emit from the general direction of the Pacific Northwest.
    • What will Microsoft be able to claim as protection in the event the source *does* get out to the internet? Trade secret status? One of the most important things to come out of all that DeCSS litigation was, if I remember correctly, the statement from the judge that once a trade secret is publicized, no matter how, it's not a secret anymore. What, if anything, can MS use? Copyright violations? Won't hold water if any GNU or other public code is discovered in *their* code. Sure, they might try to invoke the DMCA or something like that, but honestly, what will they be able to prove or accomplish? Once the secret's out of the bag, it's *out* - whether or not that's a good thing.
    Yeah, it's for almost damn sure that there's going to be a very, very ugly war of ideologies, rhetoric, and politics resulting from this little stunt. But the key for anyone who opposes Microsoft and its slipshod methodologies which produce, in my not-so-humble opinion, second-rate software, is to keep the debate focused upon the facts and the truth. This exploit was the result of a well-known security issue, one that's been around for months, and one which Microsoft *should* have been able to guard against. This exploit was more than likely the result of a rotten-to-the-core policy decision that allows Outlook to execute arbitrary code with nigh-unfettered access to the operating system internals.

    Yes, this hack was probably a very, VERY unwise decision by the culprits. Yes, there will be a truly astounding storm of shit over the matter. But, if Microsoft's opponents play their cards correctly and with a bit of savvy, there can be a world of good which comes out of it, too.

    But first, maybe we should all sit back and try to figure out exactly what happened, how it happened, who caused it to happen, and most importantly, why it happened.

    If nothing else, that approach will choke off some of these tiresome, pointless accusations and counteraccusations.

    Chris Tembreull
    Web Developer, NEC Systems, Inc.

    --

    Chris Tembreull
    "My karma just ran over your dogma."
  2. Open source in danger by Anonymous Coward · · Score: 4

    Before everyone here gets into a frenzy of self-important "Micro$oft are lusers" posts, I think it's important to discuss just how bad it would be if they have actually had the source code for their operating systems stolen by these hackers. And not for Microsoft, no, but for people engaged in open source projects like Wine, or people building Windows compatible operating systems.

    What are Microsoft going to end up doing? They now have the perfect ammunition to claim that these projects have received help in their tasks from people who are willing to engage in criminal pursuits, and that these products have improved as a direct result of this crime. Then, all they need to do is take the creators of Wine to court over this, and hey presto, there goes a project which was making Linux look good against Windows.

    Unfortunately, because of the hacker ethos about security and the fact that the ranks of open source programmers already include criminals (Randall Schwartz), judges without any real clue are quite likely to buy this.

    1. Re:Open source in danger by divec · · Score: 3
      > They now have the perfect ammunition to claim that these projects have received help in their tasks from people who are willing to engage in criminal pursuits

      Would be hard to prove. I can imagine, in such a trial, the defence demoing a 1997 version of wine running Excel 95. (It was unstable, but you could get it to run which is visually important). I.e. "this project has been making an earnest attempt to do a legit clone of the windows functionality for many years now".
      > open source programmers already include criminals (Randall Schwartz)

      I'm sure there are examples of closed-source programmers who are criminals, which you could list in a trial.
      (In case anyone doesn't know, Randall's only crime was to get on the wrong side of Intel in Oregon, where the government basically does anything Intel wants. See here for details. Please boycott Intel and write to them to tell them you are doing so).
      --

      perl -e 'fork||print for split//,"hahahaha"'

    2. Re:Open source in danger by Black+Parrot · · Score: 5

      > Before everyone here gets into a frenzy of self-important "Micro$oft are lusers" posts...

      Well, I'm just grateful that no one broke in to www.redhat.com and stole the source for Linux.

      --
      Sheesh, evil *and* a jerk. -- Jade
  3. Haven't even gotten to SUBTLE Win-security holes.. by dpilot · · Score: 3

    .. because there have been so many blatant ones. How can anyone say that there isn't a Win32 equivalent of buffer overflows, or string format errors? One of those things they did somewhere down the line for performance was to yank some of the API parameter checking.

    But so far, crackers haven't had to look for holes or real problems in the code, because *THE PUBLISHED API, ITSELF CAUSES HOLES*. Windows is still back at the "Morris Worm" days of security, if even that far along. How long ago was that?

    --
    The living have better things to do than to continue hating the dead.
  4. Only ROGUE companies, eh.... by Pig+Hogger · · Score: 3
    > Other possible motives include economic espionage, though experts said only a rogue company might knowingly buy stolen software, using it either to improve its own products or make those products more compatible with Microsoft's best-selling operating systems.

    Well, the article said it all: only BAD companies would want to make products MORE COMPATIBLE with Windoze...

    --
    Americans are bred for stupidity.

  5. The heart of the problem... by guynorton · · Score: 5

    This quote taken from the Yahoo coverage..

    "The code could also be purchased by an unscrupulous company looking to make its applications work more smoothly with Microsoft's dominant operating systems"

    Who is 'unscrupulous'?, the company trying to improve their software for the greater good of everyone? I think it is the company that won't reveal the source code...the company that has systematically crippled/sabotaged other companies by keeping their 'intellectual' secrets under wraps in an attempt to leverage themselves into any software based market they see fit to at the expense of others.

    I think this quote basically sums up the whole open source/closed source debate.....

    Guy

  6. Re:Inside job? by x0n · · Score: 3

    Does anyone at all think before they post stuff like this? Just for once can we please not be subjected to the usual moronic childish chants of "microsoft sucks" and "see what happens when you don't run linux" ?

    This incident is a simple case of social engineering when you look at it -- it's nothing to do with windows, nt nor any OS security. Some muppet ran an executable program that was sent to him/her and the program emailed some user-privilege data _legally_ available to any program running in that user's context.

    IMO the problem lies in their staff training -- don't run crap in work on a sensitive machine, especially if you've got high-level access via an extranet. Now that isn't too hard to understand, is it?


    -- Writing a Haiku
    in seventeen syllables
    is very diffic

    --

    PGP KeyId: 0x08D63965
  7. Integrity by Brett+Viren · · Score: 3
    From the MSNBC/WSJ article: ``We are confident that the integrity of Microsoft source code remains secure'', a Microsoft spokesman.

    Remains? Since when has there been any integrity to MS code?

  8. Re:See what happens when you rely on NT by Jason+Earl · · Score: 5

    It's easy to blame NT, or Inoculate IT, but the real culprit is Outlook.

    Microsoft's policy of helping users (even their own users apparently) run binaries and scripts from untrusted locations is absolutely insane. Yes, Inoculate IT should have stopped the virus (theoretically), yes, Windows NT should have more protection against attacks, but the key is that Outlook is a trojan fun house waiting to happen.

    Unfortunately, for Microsoft anyway, the fix for this type of thing goes far beyond patching some buffer exploits. They instead have to totally re-think how Outlook (and other Internet software) handle untrusted binaries (that probably includes ActiveX).

  9. Here's Windows source code by Molina+the+Bofh · · Score: 3

    Indeed, Windows source code leaked. Here's a fragment.

    void main()
    {
        while(!CRASHED)
        {
            display_windows_logo();
            display_copyright_message();
            display_bill_rules_message();
            do_nothing_loop();
            look_for_new_hardware();
            sleep(10);
            look_again_for_new_hardware();
            scandisk();
            if(detect_cache())
                disable_cache();
            if(first_time_installation)
            {
                make_50_megabyte_swapfile();
                do_nothing_loop();
                totally_screw_up_HPFS_file_system();
                search_and_destroy_the_rest_of_OS/2();
                hang_system();
            }
            write_something(anything);
            display_copyright_message();
            do_nothing_loop();
            do_some_stuff();
            if(still_not_crashed)
            {
                display_copyright_message();
                do_nothing_loop();
                basically_run_windows_3.1();
                do_nothing_loop();
                do_nothing_loop();
            }
        }
        if(detect_cache())
            disable_cache_again(); /*just to be sure*/

        if(fast_cpu())
        {
            set_wait_states(lots);
            set_mouse(speed,very_slow);
            set_mouse(action,jumpy);
            set_mouse(reaction,sometimes);
        }

        /*printf("Welcome to Windows 3.11");*/
        /*printf("Welcome to Windows 95");*/
        printf("Welcome to Windows 98");
        if(system_ok())
            crash(to_dos_prompt);
        else
            system_memory=open("a:\swp0001.swp",O_CREATE);
        while(something)
        {
            sleep(5);
            get_user_input();
            sleep(5);
            act_on_user_input();
            sleep(5);
        }
        create_general_protection_fault();
    }

    --

    -
    Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
  10. Re:No Security on a Windows Network by cygnusx · · Score: 4
    There is no security on ANY network (though Windows is slightly more susceptible to cracks, that's all :-)). If cracking fails, there's always social engineering. You want security, go get a standalone computer. (and don't forget the Tempest shielding -- and the intrusion early-warning system and the leadlined safe.)

    Seriously, though... one of the more serious reasons that viruses/trojans spread more easily on Win32/Mac is "user imbecility/gullibility". And one reason (among many others!) why Linux/BSD was considered secure is that (1) users were much more sophisticated, and (2) the OS often compromised on security over 'ease-of-use'.

    Today, with Linux (not BSD though (thankfully!)) reaching more and more into the newbie space (I'm just waiting for the first "for-newbies" distro (oh, wait, Corel comes to mind)), how long before something like this happens on a Linux box? Remember, there are a lot of newbies out there running Linux (and also Win2k/NT, for that matter) on their PCs with exactly one user account -- "root"! (or "administrator".)

  11. Re:Inside job? by henley · · Score: 4

    Looking beyond the fan-boy name calling, there is a serious point behind this.

    Microsoft has made a massive virtue of "making hard stuff easy"; underlying a lot of the products coming out of Redmond is the core value of "Trust us to do the hard stuff for you".

    In that context, it's commercially damaging to have revealed to the world-at-large that even Microsoft can't rely on Microsoft to do the hard-stuff (security) for it.. And if Microsoft can't rely on themselves why should anyone else?

    Not, I hasten to add, that I believe that this incident will have any long-term consequences of this action. I'm waaay too cynical to believe that any good can come of this.

    --

    --
    I'd rather have a bottle in front of me than a frontal lobotomy
  12. Re:See what happens when you rely on NT by Anonymous Coward · · Score: 4

    Your naiveté makes me hope you never administer any network I use.

    The exact same type of crack could happen on ANY Unix machine, not properly safeguarded. Get an e-mail with a binary attachment, chmod 744 attachment, it runs, displays a really cool screen hack or small game of some type. It also spawns a child process, but you're probably unaware of this.

    This child process sniffs out passwords, because hey, any user account can sniff packets, not just root. People log into other computers, all the while this program gets user acct & password after user acct & password. It then sends out an e-mail to a remote address, listing all these new shiny user names & passwords, what machine they were connecting to, and voila, this cracker suddenly has user accounts. Now he's free to move onto higher level attacks.

    Don't fool yourself for a second -- Microsoft's biggest mistake was that it wasn't using a more secure firewall to protect its local machines - these machines should have been INVISIBLE to the entire internet, only available to MS's intranet.

  13. Re:Well, Ho Ho Ho by divec · · Score: 4
    > This would have happened if they were using Linux, BSD or anything else.

    Well, y'd have to be running some program as stupid as Outlook, which runs arbitrary executable attachments, inside your supposedly "clean environment". I can't imagine a competent UNIX sysadmin would set things up this way.
    --

    perl -e 'fork||print for split//,"hahahaha"'

  14. Re:DNS entry also cracked by Ranger+Rick · · Score: 3
    Jesus christ already, that's not cracking, I'm sick of seeing this "story"!

    All those are is host entries under, say, terrorists.net or hackerjack.com.

    If you have a DNS that is acting on behalf of registered domains, its IP address is registered to the registrar so their root servers can point to it.

    So if you say you have a DNS server called "microsoft.com.is.secretly.run.by.illuminati.terrorists.net" it will show up there.

    So can we agree that there's no "cracking" going on? Sure, it's a neat hack, but I've seen this thing in e-mails, on 4 different web "portals", and now in comments as well. Please, for the love of god, make it stop! :)

    --

    WWJD? JWRTFM!!!
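
The naming trick described in the comment above, checked from the defender's side, as an added example that is not part of the original thread: a hostname is controlled by the zone at its right-hand end, so a brand name in the leftmost labels proves nothing. The suffix set and the brand list below are small constructed samples (assumptions), not the real Public Suffix List.

```python
# Added illustration (not from the thread): work out which zone actually
# controls a hostname and flag well-known names embedded to its left.

# Constructed sample of multi-label public suffixes; a real check would
# load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def labels_of(hostname):
    """Lower-case the name, drop the trailing root dot, split into labels."""
    cleaned = hostname.strip().rstrip(".").lower()
    return [label for label in cleaned.split(".") if label]


def registrable_domain(hostname):
    """Return the registered domain: the public suffix plus one label."""
    labels = labels_of(hostname)
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def embedded_brands(hostname, brands):
    """Brands that appear as a run of labels in hostname while the
    hostname is registered under some other domain."""
    labels = labels_of(hostname)
    owner = registrable_domain(hostname)
    hits = []
    for brand in brands:
        if owner == registrable_domain(brand):
            continue  # genuinely inside the brand's own zone
        run = labels_of(brand)
        n = len(run)
        if any(labels[i:i + n] == run for i in range(len(labels) - n + 1)):
            hits.append(brand)
    return hits


def classify(hostname, brands):
    """Summarise who controls the name and which brands it only imitates."""
    return {
        "host": hostname,
        "controlled_by": registrable_domain(hostname),
        "misleading": embedded_brands(hostname, brands),
    }


if __name__ == "__main__":
    watched = ["microsoft.com"]  # constructed watch list
    samples = [
        "microsoft.com.is.secretly.run.by.illuminati.terrorists.net",  # from the comment
        "www.microsoft.com",
    ]
    for name in samples:
        print(classify(name, watched))
```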

  15. Re:See what happens when you rely on NT by hanwen · · Score: 3
    > This child process sniffs out passwords, because hey, any user account can sniff packets, not just root

    Would you care to explain how?

    --

    Han-Wen Nienhuys -- LilyPond

  16. Re:Banks don't use Microsoft by Salsaman · · Score: 3

    Actually quite a few banks use unix for their core systems. I worked at places which use RS/6000's running AIX.

  17. Gates said "Blame Linux developers!" by billcopc · · Score: 3

    "the company couldn't say one way or the other whether source code had been stolen."

    In other news, a new build of Wine was released today boasting 100% emulation of the Windows environment at native speeds. When asked to comment, the dev team replied "We could tell you how we did it, but then we'd have to kill you".

    (note to morons : go check on freshmeat just in case!)

    --
    -Billco, Fnarg.com
  18. News Flash from Russia! by DrQu+xum · · Score: 4

    St. Petersburg (!AP) -- St. Petersburg police have found the bodies of three young computer experts. The three were found in one of the their apartments, lying on the floor in front of their 486 running SuSE Linux.
    "Our police experts stated that they were those who broke into Microsoft's servers and stole large amounts of code", says a police agent via translator. "Experts were able to tell from lengthy headers, pointless libraries, and pointers to nowhere-in-particular that this must be actual code for Windows 2000' successor."
    After a preliminary exam, forensic pathologists state that their deaths were all caused by ruptured lungs.
    "If I didn't know better, I would think that they would have died laughing", said the pathologist.
    One of the police experts who determined that the code was in fact Microsoft's also began laughing uncontrollably, and was rushed to a nearby hospital. He remains in serious condition and on heavy sedatives.

    --
    DrQu+xum: Proof that the lameness filter doesn't work.
  19. "...we invented Software Theft?" Hear me out... by American+AC+in+Paris · · Score: 4
    Y'know, it may not be in the Open Source community's best interests if the source code for MS' OSes gets stolen and released into the wild. Regardless of how sweet the irony looks from here, what kind of influence would it have on the Open Source movement if the first thing people associated with "Open Source" was "Oh, like those guys who broke into Microsoft and stole their code, right?"

    Al Gore has the quote "I invented the Internet" fused to his name. It's been used time and again to demonstrate Gore's penchant for hyperbole, his untrustworthiness as a leader. Many of you probably already know, though, that Gore never actually said that he created the Internet, but rather that he was the key political figure in the early days of funding the Internet (still an inflated claim, but nowhere near as sensational as the other.) Does the fact that he never actually said what countless media outlets attribute to him, often as a direct quote, make any difference whatsoever to his image and reputation? Nope. The media and his opponents decided to nail him to the wall with a hyperbole of their own, and with a bit of hard work and luck, it has become Truth. Truth, in that wonderful Orwellian fashion of 'if all official sources report the lie as the Truth, then the lie becomes the Truth, and the truth a lie.'

    It wouldn't matter how much you or I knew the truth, much like it doesn't matter that Al Gore never actually said that he invented the Internet. The Sheep and PHBs everywhere will swallow whatever pill they're given, and you can bet dollars to donuts that the story line wouldn't play out in favor of Open Source. If you think it's hard to convince your superiors to utilize an Open Source model now, try and imagine the brick wall you'd hit with your boss' brain automatically substituting "what happened to that stolen MS code" for "Open Source".

    For the moderators out there, I'm not saying that I think Open Source is theft, just so that's sufficiently clear. I'm just saying that it's worth considering the damage that the mass media PR monster could do to the Open Source movement, especially in light of the fact that most major media outlets are heavily invested in (and guided by) large, mean corporations. Think about it.

    --

    Obliteracy: Words with explosions

  20. lame media by Cally · · Score: 3
    As always on the occasions when some tech story is big enough to make it into the mainstream media, we get to cringe at their awful attempts to explain things to the general public which they don't understand themselves. I woke up this morning to hear a BBC radio interviewer asking "so what are these source codes? are they like blueprints?"... discussion then proceeded to the topic of could the 'hackers' have planted "a virus or bug"[sic] in Windows? "Yes", said their expert, "and that could be included in every copy of Windows shipped from today!" ARRRRGGGHHHH.

    Perhaps this is a UK-only phenomenon. Eventually the BBC etc might stop assuming that their audience thinks of computers as huge semi-sentient boxes with spinning tape drives and flashing lights that talk to their operators. Or that Microsoft are the best and only software source in the world. ("How could this happen to Microsoft of all companies?" asked the same interviewer.)

    And the use of "hacker"...
    /me goes up in a puff of unsmoke.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  21. Re:Inside job? by Ser\/o · · Score: 3

    Think about how many attempts to do this go unrewarded....in any given day. I think about how many scripts and 'sploits I see for *nix machines, and I don't see these kinds of numbers for NT boxes.

    Why is it that a *nix box getting compromised = 'Excellent, now we can patch the hole', but an NT machine = their security "sucks"?

    My personal opinion is that unix variants are more secure, stable, and so on, but NT is NOT a gaping hole into a given network, just not my 1st choice as a server.

    Before the flames abound, my personal server is a linux box, I just didn't agree with this particular statement.

    --
    -Just because you're not paranoid doesn't mean they're not out to get you.
  22. Re:Childish attacks unnecessary by johnnyb · · Score: 3

    You really need to think before posting. Most of the security compromises you list for Linux are _local_ compromises. That means, you must already have a shell to do them. If you have a shell on Windows, getting root is even easier, unless you have all of the security updates. When NT4 was first released, almost every kernel call did not do proper checking, and you could compromise security with _any_ kernel call. As far as _network_ security goes, securing Linux is just like securing any other OS - you check the network programs. The way you secure the console is by simply removing unwanted SUID programs. With Windows, you can assume that if someone is at the console or telnetted in (which you _can_ do with the proper software), you should assume they have administrator privileges. As far as security advisories, most Linux security advisories come from the people developing the code, not from being cracked. This means you get to secure your machine _before_ script kiddies get their hands on things. With NT, the advisories are normally based on someone actually being cracked. Please think before posting, and make sure you understand the topic at hand.

    I'm not even trying to say "Linux is better than Windows" with this post. I'm just pointing out that your arguments are comparing apples to oranges (network security to local machine security, and published exploits to theoretical problems).

  23. If I were Ballmer I'd... by hey! · · Score: 3

    order the biggest freakin' code review in history.

    If I were a hostile cracker, I wouldn't go the "data hostage" route -- too risky. The police will follow the money.

    Instead, posing as an engineer, I'd slip a few buffer overrun vulnerabilities, just where I could use it. Knowing the cruftiness of MS operating systems I'd have my own private back door into any system shipped with Windows for years to come.

    Give a man a fish, and he'll eat for a day. Hand a fisherman a crate of hand grenades and he'll catch all the fish in the river.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  24. Childish attacks unnecessary by Carnage4Life · · Score: 4

    I'd expected more mature responses to MSFT being hacked than childish attacks either blaming NT like the above post or claiming that MSFT being hacked is good for Open Source like others I've seen. Frankly *nix and Windows are roughly equivalent in default security (except for OpenBSD) and only through the machinations of a good sys admin is either OS properly secured.

    For those that believe *nix is somehow more inherently secure than Windows here are a few sources that may refute that claim. The major security issues in Windows are Outlook (disable preview pane, be careful with attachments) and Internet Explorer (disable Javascript). Doing that and using a firewall like ZoneAlarm is most of the securing that a typical Windows box needs. On the other hand due to the use of insecure C libraries (str* functions, *scanf functions, etc) most of the services that are enabled by default in a typical Linux install are insecure (especially RedHat the primary consumer Linux OS in the U.S.). Take a quick look at security sites like Attrition.org, CERT, SANS, rootshell, SecurityFocus, etc and check the results. Defacements of Linux sites have been rising at a steady rate and now there are more defacements of Linux sites than NT sites. CERT regularly has more Linux and Unix security advisories than for Windows. The SANS (System Administration, Networking, and Security) Institute top ten list of security holes has more entries for *nix than Windows. A quick search of the terms "linux" and "windows" on Rootshell's search engine come up with 84 downloadable exploits for Linux versus 39 for Windows.

    The above post is not intended to be flamebait (I run Win2K but plan to reinstall Linux on my second machine so I am a Linux user) but as a counterpoint to the above post which was rated +5 when I replied to it.



    Second Law of Blissful Ignorance

    1. Re:Childish attacks unnecessary by jbarnett · · Score: 4


      The point is this.

      1) Microsoft has complete unrestricted access to their own source

      2) Microsoft is a billion dollar company and A LOT (at least in their eyes) is at stake

      3) They have enough money to hire decent security officers

      4) These well-paid security officers should have secured the system and network

      5) With people hired for the sole purpose of securing the network, the network should be somewhat more secure, no matter what OS they are running.

      6) Why are their development/source code computers even available on the Internet? Anyone ever hear of firewall or internal network? Anyone think about just unplugging the T1 from the internal network? Anyone think about requiring the security admins to read "Intro to network security"??

      I am sorry to say, but this crack looks "so seventh grade or something"

      7) Should Microsoft employees know how to use what software they are required to for their job (i.e. Outlook)? Shouldn't Microsoft employees be educated about basic security?

      8) Where is any monitoring? "Hey Network Admin Bob, some IP in Russia has been downloading megs of stuff from one of our internal machines? Is that normal?"

      Microsoft views the security of their source code as "high value", they see the closedness of their source as their cash cow, yet they let someone 0wnZ them so easy.

      I am not saying NT or W2k is more secure than Unix, etc, that is a broad and misleading statement. I am not saying Unix is more secure than NT, that is also too broad and misleading.

      What I am saying is that any decent OS (this includes NT, W2K) should not have even had the chance to be owned like this. If their network was set up right, you could have had the most insecure OS running with default uid/pass for admin access and should not be exploitable like this (at least from the internet).

      It boggles the mind.

      It's not even like a 31337 crack, it is "hey I downloaded all these programs off the internet, you want to 0wnZ M$?"

      The problem isn't with what OS it is running, the problem is that 1) the network admins know nothing about security 2) the system admins know nothing about security 3) the users know nothing about security.

      Even if they were running a "Ultra Secure" *cough*OpenBSD*cough* OS, if they hook their "important machines with highly classified information" up to the internet, they are just ASKING for trouble...

      And someone please explain to me why the SYSTEM ADMIN was checking his email with the ADMIN account on a SECURE MACHINE. Then running an unknown program as ADMIN user!

      That is like a unix admin, going to a secure unix box, logging in as root, checking his email with root, then running an unknown program as root, this mind boggles.

      Do the people in Redmond even know how to use their own damn OS? Maybe they should require all employees to get MSCE or something...


      --

      "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  25. Bad Day for Bill by Chitlenz · · Score: 4

    AVAILABLE - Slightly frazzled security Admin seeks Immediate Position after undertaking impossible task at unnamed Redmond, WA. employer. Canned due to circumstances beyond control. Will take any offer not relating to windows. Added Plus - Able to interpret arcane source code for popular and possible unintentionally Open Source Operating System (you hear that Larry E.?). Used to long hours and sleepless nights, anything's a change for the better. Looking for stock options (in a company that's still gonna be worth something in a month).

    --
    Imagination is the silver lining of Intelligence.
  26. Re:See what happens when you rely on NT by Alternity · · Score: 3

    This has nothing to do with the OS used. It's an employee who introduced the Trojan by opening an attachment.

    Once again this proves the weakest link in any security is the human factor.


    "When I was a little kid my mother told me not to stare into the sun...

    --


    "If liberty means anything at all, it means the right to tell people what they do not want to hear"
  27. Pulleth The Other One, it hath Bells On by henley · · Score: 3

    Any project started within the last 3 months may be potentially vulnerable to a legal Denial of Service attack, yes.

    I refuse, however, to believe that there's a Court of Law in the world that's bone-headed enough to believe that project X, running for Y years and fully documented in that time as an open project (cf WINE), has benefited from the unrelated, unadvertised and recent breaking out of MS source code.

    Come on.. Doom-saying is all fun and games, but please do try and stay within the bounds of reality...

    --

    --
    I'd rather have a bottle in front of me than a frontal lobotomy
  28. Reichstag Fire by Deskpoet · · Score: 5

    This was PRECISELY my first thought when I read these pieces: this is a staged event for some reason as yet to be revealed.

    Of course, as a reluctant user of NT, I *know* it's vulnerable, and the fact this occured doesn't surprise me at all. What IS surprising is we haven't heard more of this coming out of Redmond; it can't be the first time.

    I don't think the possibility that this is a way for Microsoft to reign in the Open Source movement is paranoid AT ALL. With M$ having its market share threatened by Open Source stuff, why not create an excuse that the people releasing it are ripping off internal code stolen from M$. Indeed, it makes perfect sense, and it wouldn't surprise me if the lawsuits start flying within 6 months.

    I worked at a place where we had REAL break-ins, and the last thing you want to tell your customers is that you've been hacked. The fact that M$ is being so forthright about this--in direct contradiction to the way they typically stonewall against any less-than-flattering news--points to an entirely different motivation than just being honest.

    Remember, the people that report these stories have extensive relationships with M$. There can be no doubt that they are spinning this in such a way as to ultimately benefit M$, or any initiative that M$ may find to its liking.

    By the way, Randall is *NOT* a criminal. Yes, he was convicted, but that means about as much as the stain on Monica's dress. Judge for yourself; go here for more information.

    --
    "The more corrupt the state, the more numerous the laws."--Tacitus, The Histories
  29. Redhat Cracked by ahaile · · Score: 5
    Durham, Oct 27 -- The linux world is in a tumult today after a report claiming hackers broke into the corporate network of industry leader Redhat. The report, published on the internet by a pseudonymous "BG", purports that "lots and lots" of hackers outside the Durham-based organization have been "stealing intellectual property" from the company for "a whole lot longer than three months." Redhat officials appear to be stonewalling on the issue, responding to questions with a baffled look and the reply, "What the hell are you talking about?"

    According to the report, unknown hackers managed to procure a password to Redhat's network servers. They then used the password to download the blueprints to all of Redhat's products. Even worse, the password was circulated widely over the internet, allowing thousands, potentially over a million hackers to repeat the exploit.

    One person familiar with the case said it appeared the hackers initially gained access to Redhat's corporate computers by exploiting a hole in the company's "FTP" software. This software is used to transfer files between remote computers. The hackers discovered that the password "anonymous" allowed them access to all of Redhat's intellectual property.

    Most damning of the report's accusations is the claim that internal Redhat officers have known about the vulnerability for months, even years, but failed to alert customers or close the security hole.

    The breach may have allowed hackers to insert instructions into the blueprints for Redhat's products, including the recently released Redhat Linux 7. One anonymous insider called such practices "common." When asked if they were planning an extensive audit of their code, Redhat officials repeated their reply, "What the hell are you talking about?"

  30. Open Sourcing Windows... by The+Dodger · · Score: 4

    If the hackers release the source into the "wild", we're likely to see a similar situation to DeCSS - anyone who hosts or links to the source code for Windows or any other Microsoft software will have the full force of Microsoft's legal vultures brought to bear upon them.

    Wonder if HavenCo would host it. That would mean a real, live-fire test of SeaLand's sovereignty - if Microsoft can't beat them, then no one has a chance! :-)

    D.

    1. Re:Open Sourcing Windows... by bilgebag · · Score: 5

      First one to submit a patch gets to pick a new default colour for the Screen Of Death...

    2. Re:Open Sourcing Windows... by rdl · · Score: 5

      It's not against our AUP.

      We as a company are not in favor of software
      piracy, so we certainly wouldn't help, but if
      a customer wanted to host stuff like this, we can't really say it's against our AUP.

      (I personally think MS source code would be a
      waste of space, a thousand monkeys and all that...)

    3. Re:Open Sourcing Windows... by nick_davison · · Score: 5
      we're likely to see a similar situation to DeCSS

      How the hell am I going to get all that bloatware on the back of a t-shirt?!

  31. This is obvious but... by K8Fan · · Score: 3

    ...what in the hell would hackers want with Microsoft's plans? Script kiddies, sure. Crackers, of course. But actual hackers? No self-respecting hacker would want or need to crib from Microsoft's notes. That would be like copying off the paper of the class idiot.

    --
    "How perfectly Goddamn delightful it all is, to be sure" Charles Crumb
    1. Re:This is obvious but... by jrumney · · Score: 5

      Hackers huh? Hopefully they'll fix some bugs before they give it back.

  32. Re:Inside job? by ichimunki · · Score: 3

    This may be a case of social engineering, but please don't gloss over the fact that it is Microsoft themselves who have repeatedly and loudly condemned Linux and who still, at this page on their site claim the Linux security model is weak. They spend a lot of time, money, and effort to put Linux in an extremely bad light. If they can't secure their own network using their own software, then I seriously question how their user base is to be expected to do the same. This points up how incredibly difficult it is to secure their software, yet they claim it is superior to other models out there.

    Also, a quote from their spokesdroid, "We are confident that the integrity of Microsoft source code remains secure." (MSNBC article). I'm not so sure I believe them. Can they prove it? Is there any consulting firm in the world not on the Microsoft payroll who will be allowed to study their source to determine that it hasn't been trojaned by Russian subversives (or Steve Jobs or whoever cracked them)? I humbly suggest that from this day forward, there is no guarantee that any newly compiled software or patch hasn't been corrupted. While there's no need for gloating and "moronic childish chants", the fact remains that their source may be compromised and their security through obscurity model does not satisfy even the weakest security policies. This is not a problem we have with Linux or BSD-- which certainly have had holes in them, no denying it. But when you have someone telling you that you should trust them, and please pay mightily for our product, and, yes, you'll just have to trust us that it works the way we say it does (even though we can't seem to keep ourselves secure)-- oh and that Free software that you can obtain for a fraction of the cost and that you are able to review, modify, and share as you will? It sucks.

    They do not deserve any leniency whatsoever. Their model is the one that is broken. It is based on trust. They can't buy that with any amount of marketing or legal shenanigans. Trust must be earned. And right now, they get none from me.

    --
    I do not have a signature
  33. More linkages (and details) by beebware · · Score: 3
    More details are available from:

    Richy C.
    --
  34. Not A Good Thing by pokrefke · · Score: 5

    No matter how much you think Bill Gates is the anti-christ or hate Windows, this is most assuredly NOT good news. The judges, the lawyers, and the law enforcement that will certainly become involved in this case will look at one point, and one point only: someone broke the law. Know what else? They don't understand you, and they don't care that you want Wine to work better or an Open Source Windows.

    In the interest of fairness, let's look at this from their point of view. "Hackers" (does anyone know what this word means anymore?) have been getting a lot of bad press lately. Hacking into Microsoft's site adds fuel to the fire. Stealing Microsoft's code is fanning the flames.

    Everyone is making jokes about how insecure MS products are, as if Apache or Slashdot have never been compromised.

    Even more worrisome is the opinion of the everyday, ordinary citizen. Some of which have made money off MS stock. Many of which use a computer, but aren't as "in" to them as we are. I bet you lunch that they see stuff like this and feel "insecure". And I guarantee you, when something like Carnivore comes along, the average person will support it, because it makes, at least in their mind, the online world a safer place.

    So laugh now about Microsoft's problem. Joke about an OSS Windows, regardless if they want it or not.

    Ladies and Gentlemen, if you're old enough to understand, it's time to realize that this is most assuredly Not A Good Thing.

    Disclaimer: MY computer runs Linux/BeOS.

  35. Re:See what happens when you rely on NT by mcrbids · · Score: 3

    Gee, somebody who GETS IT!

    Take a PC, install a default copy of RH 6.2, hook it up to a static IP DSL modem. Come back in a month or two, and you'll find that you have at least 1 or 2 "volunteer" sysadmins!

    The difference between NT and Linux is that you are given the control to make Linux VERY secure. You just aren't given the low-level control needed to make NT anywhere NEAR as secure.

    It takes time, and extreme attention to detail - but it CAN be done.

    -Ben

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  36. Re:See what happens when you rely on NT by Nightlight3 · · Score: 4
    They instead have to totally re-think how Outlook (and other Internet software) handle untrusted binaries (that probably includes ActiveX).

    It could have been in the attached MS Word .DOC file as well. And anyone who goes to the MSDN site for various tech info, having to use IE with full ActiveX enabled to make the sites work right, is potentially infected. Or anyone using the MSDN Libraries, including MSVC Help, of recent couple years (which also don't work well without internet connection enabled).

    Their whole "vision thing" of hypertext documents which seamlessly integrate your computer (via the MSDN Libraries, including compiler help files) into the Microsoft servers, reporting (if they wish so) anything you look up, any articles you read and for how long, anything you search for, which code samples you extract, ... even without coupling with ActiveX, is a virus/trojan handcrafted for industrial espionage, all by itself.

    I wish only Bill Gates' machines and those of the other brains behind the Microsoft all-is-one (or is it one-is-all) "vision" got some of their own medicine.

    BTW, I just typed in my first message in here, and this luxuriously spacious /. edit box with its eye pleasing courier font makes Microsoft Notepad seem like an ultra-ergonomic editor from the future. (The only cure for this is to make the web designer here use this exact edit box for three days for all of her editing work; by the second day the edit box would be twice as wide and three times as tall and user could set their own non-fixed pitch fonts. By the third day she would suggest dumping it altogether and using something like Userland's Manila editor.)

  37. The "Truth" about who Microsoft really is by b1t+r0t · · Score: 5
    Any of you with Unix shell access should try:

    whois microsoft.com

    also whois aol.com ; whois apple.com ; whois whitehouse.gov

    How did they do it? Simple. Whenever you register a nameserver IP address, you have to include a domain name for the nameserver. I think the only thing checked is that the IP address pings and the domain name is part of a real domain.

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
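
The behaviour described in comment 37, as an added example that is not part of the original post or of any whois client: it assumes the registry whois lists every domain and nameserver host record whose name begins with the query. The Python sketch separates the exact domain record from lookalike host records; the sample listing and every name in it are constructed.

```python
"""Separate the real domain record from lookalike nameserver host records
in a prefix-matched whois listing. The listing below is constructed."""

# Constructed sample of a registry whois reply for the query "example.com".
SAMPLE_LISTING = """\
Whois Server (constructed sample output)

EXAMPLE.COM.IS.A.PRANK.HOSTNAME.EXAMPLE.NET
EXAMPLE.COM.LOOKALIKE.EXAMPLE.ORG
EXAMPLE.COM
EXAMPLE.COMPANY-NAME.EXAMPLE.NET

To single out one record, look it up by its full name.
"""


def normalise(name):
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.strip().rstrip(".").lower()


def looks_like_dns_name(line):
    """True for a single token made only of DNS label characters and dots."""
    token = line.strip()
    if not token or " " in token or "." not in token:
        return False
    return all(ch.isalnum() or ch in "-." for ch in token)


def classify_listing(query, listing):
    """Return (exact, lookalikes, unrelated) for the names in a listing.

    exact      -- the record whose name equals the query, or None
    lookalikes -- names that merely start with "<query>." and therefore
                  belong to some other parent domain (host records)
    unrelated  -- other names caught by the server's prefix search
    """
    query = normalise(query)
    exact, lookalikes, unrelated = None, [], []
    for line in listing.splitlines():
        if not looks_like_dns_name(line):
            continue  # banner or footer text
        name = normalise(line)
        if name == query:
            exact = name
        elif name.startswith(query + "."):
            lookalikes.append(name)
        else:
            unrelated.append(name)
    return exact, lookalikes, unrelated
```

Only the `exact` record describes the queried domain; anything in `lookalikes` is a label chosen by whoever registered that host name under a different parent domain.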
  38. Re:This isn't good. by radja · · Score: 3

    I don't care how M$ falls. They've made it clear that they'll stoop to any level to get more cash, but now the shoe is on the other foot. But I would not insert any windows code into a linux app. linux is not the OS of thieves. And that would make linux just as bad as M$.

    //rdj

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  39. it's *NOT* a very good point by schon · · Score: 3

    In fact, it's probably the biggest misconception he made.

    Relying solely on a firewall is the single biggest mistake a company can make.

    True, a properly configured firewall can make a huge difference, but _real_ security involves securing every machine on the network. A firewall won't fix a problem with a bad client (such as Outlook) executing code it's not supposed to. A firewall won't fix a problem with a web/mail/whatever server running behind it.

    The bottom line is that if a machine needs to talk to the internet, it _needs_ to be secured, because an improperly written app can make any firewall completely useless.

  40. Update by mav[LAG] · · Score: 5
    ST PETERSBURG, Russia: 2000-10-27: In a joint sting operation, Russian police and the FBI made a raid on a downtown apartment today, netting four teenagers they suspect of being behind the Microsoft breakin. Microsoft spokesman Rick Miller applauded the operation, saying that neighbours tipped off the police after noticing strange behaviour from them.

    "These were all very bright boys - cheerful, helpful and good at their day programming jobs" said apartment resident Canya Bolyevtis. "But last weekend that changed when they started walking around in a daze after an all-night session, as if they had been exposed to some terribly traumatic thing."

    Californian software analyst Rich McGee says the teens were foolish to allow themselves to be exposed to Microsoft source code.
    "Here you have some very bright young guys with some Unix experience suddenly coming into contact with the C source for kernel32.dll. I think they were unprepared for the shock."

    St. Petersburg police chief Konstantin Bolygubov thanked the public for the information that led to the arrests, saying it was the easiest raid he had done in a long time.
    "When we broke down the door, none of them moved," he said. "They were all just staring in horror at the screen of a PC in the corner of the living room."

    --
    --- Hot Shot City is particularly good.
  41. Open source.. assisted? (well, gpl perhaps..) by uncleFester · · Score: 3

    What about the claims by some that M$ uses portions of GPL'd code? If that was revealed in any of the sources absconded with, could this not work in open source's favor? Granted, M$ will still take the position the material was illegally obtained (probably rightfully so) and try to suppress it (fat fscking chance). This could give the free software movement some justification for its model and some teeth for any legal wrangling they felt they should do.

    just a thought...

    --
    -'fester
  42. Read the (full) Wall Street Journal Article by beebware · · Score: 3

    It seems michael has forgotten to include the link to the original article on the Wall Street Journal - it's here - login 'slashdot123' passwd 'slashdot123'. Very long, comprehensive and insightful.
    Richy C.
    --

  43. No Security on a Windows Network by hagbard5235 · · Score: 5

    This reminds me very much of a point I have
    frequently made to a friend of mine about
    the security of his network.

    He had claimed that he didn't need to worry about
    security because his networking folks had
    provided a very secure firewall.

    "Really," I said, "Do you have any Windows
    boxes on your network?"

    "Yes," he replied.

    "Do they run Outlook?" I inquired.

    "Yes," he replied.

    "Then why do you bother to run a firewall at all?"

    I went on to explain that anyone could infect
    Windows boxes behind his firewall via email
    (which almost every firewall in the world
    is configured to pass). Once infected this
    Windows box could subvert his whole network
    and tunnel anything it needed back out via
    SMTP (we do after all, have examples of
    tunnelling IP via SMTP).

    My friend thought I was nuts. Seems that something similar happened to Microsoft itself.

    Guess I'm not nuts. There is no network
    security on a network which has Windows
    present.

  44. Win-Win? Not so sure...(Kevin Mitnick) by Carnage4Life · · Score: 3

    If it's an outside job and the crackers beat MS' security, now the whole world+dog knows that MS software sucks in protecting data.

    From all the articles, it looks like this was a Trojan that may have been secreted during the execution of some email attachment. Knowing MSFT, they'll probably spin this as a virus similar to Melissa or ILOVEYOU and the general public will stop blaming them.

    After all, no one is calling for their heads after Melissa and ILOVEYOU even though the main reason they caused so much damage is the lack of security built into Outlook and the ease of using Virus Building Script. Instead we'll probably get a lot of hacker crackdowns with this breakin, perhaps another Kevin Mitnick type case where he got reamed for seeing Sun's Solaris source. It's very possible to see the culprits doing massive jail time for supposedly causing MSFT zillions of dollars in lost revenue by merely looking at the source like Sun did with Kevin Mitnick. This is especially possible in the current climate of UCITA and the DMCA. I wouldn't consider that a win, would you?

    Second Law of Blissful Ignorance

  45. Re:Maybe this is what sunk the Kursk by Hrunting · · Score: 4

    I've seen some pretty dumb things on Slashdot and I've seen some pretty offensive things on Slashdot, but never a post like this.

    This ranks up there with the jokes that came out after the Challenger accident and after Oklahoma City. The Kursk was a tragedy. It may not seem that way to an American, but it shattered the emotions of the Russian people. To further imply that Microsoft had any part in that tragedy is simply childish.

    I've always considered the majority of Slashdot readers to be brats, but this goes to show that whatever Microsoft may do to fight the open-source movement, they'll probably win. Why? Because for the most part, it's people like you who make up and support that movement, people lacking any amount of maturity and decency, and for movements to succeed, they must at least be honorable in the face of their enemy.

    Just sickening. Whoever moderated this up for being funny should be shot. Mark me down for flamebait or what have you, but the fact remains, many open-source zealots and programmers are simply brats.

  46. Initial breakin was via email trojan by divec · · Score: 3

    From what the MSNBC article said, the crackers initially got access because some poor MS employee inadvertently ran a trojan email attachment, then did some sort of password sniffing.


    It should now be completely clear that attachment-running programs such as Outlook are dangerous and should not be used by any business which has sensitive data, i.e. any business at all. Any business which jeopardises my personal privacy by using such software is acting negligently, just as if they left their locks unlocked and their safe open at night.


    I wish I could say that this marks the beginning of the end of such "back-door enabled" software. However I fear that this will not be the case.

    --

    perl -e 'fork||print for split//,"hahahaha"'
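
A mail-gateway check for the risk raised in comment 46, as an added example that is not part of the original post or of any Microsoft product: it parses a message with Python's standard `email` package and reports attachments whose file name or declared type indicates executable content, so they can be held before a mail client ever opens them. The extension and type lists are assumptions, and the sample message is constructed.

```python
"""Flag executable-looking attachments before a message reaches a mail client.
The message below is constructed; the block lists are assumptions."""
from email import message_from_string, policy

# Assumed block list of extensions that Windows runs when opened.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
RISKY_TYPES = {"application/x-msdownload", "application/x-msdos-program"}

# Constructed sample: a text body, a PDF and a double-extension script.
SAMPLE = """\
From: sender@example.org
To: staff@example.com
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="figures.pdf"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Figures.TXT.vbs"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""


def risky_reason(filename, content_type):
    """Return why a MIME part should be quarantined, or None to pass it."""
    # Windows drops trailing dots and spaces from file names, so strip them first.
    name = (filename or "").strip().rstrip(". ").lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXT:
        if len(parts) > 2:
            return "double extension hides " + ext
        return "executable extension " + ext
    if content_type in RISKY_TYPES:
        return "executable content type " + content_type
    return None


def scan_message(raw):
    """Return [(filename, reason)] for every leaf part that must be held."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also reaches nested multiparts
        if part.is_multipart():
            continue
        reason = risky_reason(part.get_filename(), part.get_content_type())
        if reason:
            findings.append((part.get_filename(), reason))
    return findings
```

A name-and-type filter like this does not inspect content, so it misses macro-bearing documents and archives; it only removes the attachments a user can launch with one click.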

  47. All of a sudden by overshoot · · Score: 4
    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  48. It's Not too serious ... by PhilHibbs · · Score: 3

    It's not as if they stole anything valuable, is it?

  49. Re:Inside job? by Eck · · Score: 3

    If there are so many exploits for Unixes and not NT, why is it that despite an apparent minority of servers, there are more defacements of NT sites?

    Besides, as another poster pointed out, if we hear about a vulnerability in an open source OS, whether or not it's Unix-like, we can fix it a lot more easily than with closed-source NT.

  50. Sounds like a great idea! by Chelloveck · · Score: 5

    Ah, yes, evil hackers from Russia stealing the "software blueprints". Smells like the plot of a James Bond movie.

    "And now, Mr. Bond, by altering the blueprints I will be able to take control of every desktop computer on the planet! I'll have an entire cybernetic zombie legion at my disposal!"

    "We're one step ahead of you, Smirnoff. Office is a very fragile piece of code. Change even one line and the whole thing will come crashing down like a house of cards. The worst you'll be able to do is crash every computer. And who would be able to tell the difference between that and the way Office normally runs, eh?"

    "Curse you, James! Now I'll have to kill you by an incredibly intricate device which you'll no doubt escape. The only way out of your cell is to cross this tile floor. Land mines are hidden under nearly half the tiles. Fancy a game of full-contact Minesweeper, Mr. Bond?"

    --
    Chelloveck
    I give up on debugging. From now on, SIGSEGV is a feature.
  51. s/NT/stupidly trojan-enabled software/ by divec · · Score: 4
    Um it was not about NT you fool.

    No. It's just about the software which comes with NT and Microsoft sells for NT and everybody uses on NT. An equally stupidly-designed UNIX mail reader would be equally bad. But most UNIX systems don't use such software.
    --

    perl -e 'fork||print for split//,"hahahaha"'

  52. This could be VERY bad by Kyaphas · · Score: 5

    Just what we need. A high-profile company that has decent lobbying skills getting hacked just as we face more and more legislation against hacking.

    And this on the heels of the story below about pushing for more UCITA support. crap.

    --
    ---- The price of freedom is eternal vigilance. -Thomas Jefferson